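// Flags content that carries identifier strings associated with the Saefko
// remote-access trojan. The rule fires when at least three strings from
// group A, or at least three from group B, are present in the scanned data.
//
// NOTE(review): the condition has no file-type or size guard, so it is
// evaluated against anything that is scanned (files, memory, archives).
// If false positives show up, consider adding a format check that suits
// how the rule is deployed.
rule Saefko
{
meta:
    author = "@neonprimetime"
    // The description previously read "Remcos RAT", which contradicted the
    // rule name and every string below. A wrong family label misdirects
    // triage and response playbooks, so it now names the matched family.
    description = "Saefko RAT"
strings:
    // Group A: project and class-style identifiers. Matched as both UTF-16LE
    // (wide) and single-byte (ascii), case-insensitively.
    // The odd spellings ("Seafko", "Clinet") are presumably verbatim from
    // the sample; do not "correct" them or the rule stops matching.
    $a1 = "SeafkoAgent" wide ascii nocase
    $a2 = "HTTPClinet" wide ascii nocase
    // Generic word; relies on the 3-of-group threshold to avoid firing alone.
    $a3 = "INFECTIONS" wide ascii nocase
    $a4 = "FileManagerMsgs" wide ascii nocase
    $a5 = "ProcessManagerMsg" wide ascii nocase
    $a6 = "SAEFKO" wide ascii nocase

    // Group B: no modifiers, so these match single-byte and case-sensitive
    // only. They look like member / compiler-generated names from a managed
    // binary (TODO confirm against a reference sample). The misspellings
    // ("SatartUp", "clinte") are presumably the author's own; keep them.
    $b1 = "<RecordAudio>"
    $b2 = "<SatartUp>"
    $b3 = "get_server_address"
    $b4 = "irc_clinte"

condition:
    // Either group must reach three hits on its own; hits are not pooled
    // across the two groups.
    3 of ($a*) or 3 of ($b*)
}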
